For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Description: Apache is updated to version 2.2.22 to address several vulnerabilities, the most serious of which may lead to a denial of service. Further information is available via the Apache web site at http://httpd.apache.org/. This issue does not affect OS X Mountain Lion systems.

Impact: Applications that use CoreText may be vulnerable to an unexpected application termination or arbitrary code execution

Description: A bounds checking issue existed in the handling of text glyphs, which may lead to out of bounds memory reads or writes. This issue was addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 or OS X Mountain Lion systems.

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: TrustWave, a trusted root CA, has issued, and subsequently revoked, a sub-CA certificate from one of its trusted anchors. This sub-CA facilitated the interception of communications secured by Transport Layer Security (TLS). This update adds the involved sub-CA certificate to OS X's list of untrusted certificates.

DirectoryService

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

Impact: If the DirectoryService Proxy is used, a remote attacker may cause a denial of service or arbitrary code execution

Description: A buffer overflow existed in the DirectoryService Proxy. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion and Mountain Lion systems.

Impact: Remote admins and persons with physical access to the system may obtain account information

Description: The fix for CVE-2012-0652 in OS X Lion 10.7.4 prevented user passwords from being recorded in the system log, but did not remove the old log entries. This issue was addressed by deleting log files that contained passwords. This issue does not affect Mac OS X 10.6 or OS X Mountain Lion systems.

Description: A logic issue existed in the handling of debug system calls. This may allow a malicious program to gain code execution in other programs with the same user privileges. This issue was addressed by disabling handling of addresses in PT_STEP and PT_CONTINUE. This issue does not affect OS X Mountain Lion systems.

CVE-ID

CVE-2012-0643 : iOS Jailbreak Dream Team

LoginWindow

Available for: OS X Mountain Lion v10.8 and v10.8.1

Impact: A local user may be able to obtain other users' login passwords

Description: A user-installed input method could intercept password keystrokes from Login Window or Screen Saver Unlock. This issue was addressed by preventing user-installed methods from being used when the system is handling login information.

Impact: Viewing an e-mail message may lead to execution of web plugins

Description: An input validation error existed in Mail's handling of embedded web plugins. This issue was addressed by disabling third-party plug-ins in Mail. This issue does not affect OS X Mountain Lion systems.

CVE-ID

CVE-2012-3719 : Will Dormann of the CERT/CC

Mobile Accounts

Available for: OS X Mountain Lion v10.8 and v10.8.1

Impact: A user with access to the contents of a mobile account may obtain the account password

Description: Creating a mobile account saved a hash of the password in the account, which was used to log in when the mobile account was used as an external account. The password hash could be used to determine the user's password. This issue was addressed by creating the password hash only if external accounts are enabled on the system where the mobile account is created.

Description: PHP is updated to version 5.3.15 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP web site at http://www.php.net

Impact: PHP scripts which use libpng may be vulnerable to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in the handling of PNG files. This issue was addressed by updating PHP's copy of libpng to version 1.5.10. This issue does not affect OS X Mountain Lion systems.

CVE-ID

CVE-2011-3048

Profile Manager

Available for: OS X Lion Server v10.7 to v10.7.4

Impact: An unauthenticated user could enumerate managed devices

Description: An authentication issue existed in the Device Management private interface. This issue was addressed by removing the interface.

Impact: Viewing a maliciously crafted .pict file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in the handling of .pict files. This issue was addressed through improved validation of .pict files. This issue does not affect OS X Mountain Lion systems.

Description: There are known attacks on the confidentiality of SSL 3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode. The Ruby OpenSSL module disabled the 'empty fragment' countermeasure which prevented these attacks. This issue was addressed by enabling empty fragments. This issue does not affect OS X Mountain Lion systems.

Impact: Attaching a USB device may lead to an unexpected system termination or arbitrary code execution

Description: A memory corruption issue existed in the handling of USB hub descriptors. This issue was addressed through improved handling of the bNbrPorts descriptor field. This issue does not affect OS X Mountain Lion systems.

CVE-ID

CVE-2012-3723 : Andy Davis of NGS Secure
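
The USB entry above names the bNbrPorts field of the hub descriptor. As an added example (not Apple's code and not part of the advisory), this sketch shows the kind of validation a hub driver needs before it uses that device-supplied count to size or copy the variable-length bitmaps. The field layout follows the USB 2.0 hub class descriptor; the function name, the HUB_MAX_PORTS limit and the sample descriptors are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HUB_DESC_TYPE  0x29 /* hub class descriptor type (USB 2.0) */
#define HUB_DESC_FIXED 7    /* bytes before the variable-length bitmaps */
#define HUB_MAX_PORTS  15   /* assumed driver limit, chosen for this example */

struct hub_info {
    uint8_t nports;
    uint8_t removable[HUB_MAX_PORTS / 8 + 1]; /* DeviceRemovable bitmap */
};

/* Constructed sample descriptors (not captured from real hardware). */
static const uint8_t desc_ok[]    = {0x09, 0x29, 0x04, 0, 0, 0x32, 0x64, 0x02, 0xFF};
static const uint8_t desc_huge[]  = {0x09, 0x29, 0xFF, 0, 0, 0x32, 0x64, 0x02, 0xFF};
static const uint8_t desc_short[] = {0x09, 0x29, 0x08, 0, 0, 0x32, 0x64, 0x02, 0xFF};

/* Returns 0 and fills *out on success, -1 if the descriptor is rejected. */
int parse_hub_descriptor(const uint8_t *buf, size_t len, struct hub_info *out)
{
    if (len < HUB_DESC_FIXED || buf[1] != HUB_DESC_TYPE)
        return -1;
    uint8_t nports = buf[2]; /* bNbrPorts: device-controlled, untrusted */
    if (nports == 0 || nports > HUB_MAX_PORTS)
        return -1;           /* would overrun the fixed-size bitmap */
    size_t bitmap = (size_t)nports / 8 + 1;      /* bit 0 is reserved */
    size_t need = HUB_DESC_FIXED + 2 * bitmap;   /* + PortPwrCtrlMask */
    if (buf[0] < need || len < need)
        return -1;           /* bDescLength or transfer shorter than claimed */
    out->nports = nports;
    memset(out->removable, 0, sizeof out->removable);
    memcpy(out->removable, buf + HUB_DESC_FIXED, bitmap);
    return 0;
}

int main(void)
{
    struct hub_info h;
    printf("ok=%d huge=%d short=%d\n",
           parse_hub_descriptor(desc_ok, sizeof desc_ok, &h),
           parse_hub_descriptor(desc_huge, sizeof desc_huge, &h),
           parse_hub_descriptor(desc_short, sizeof desc_short, &h));
    return 0;
}
```

The two rejected samples cover the cases that matter: a port count larger than the driver's storage, and a port count that implies more bitmap bytes than the descriptor actually carries.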

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.